Today, the Senate Judiciary Committee explored the implications of a Department of Justice (DoJ) set of actions which have threatened the entire cloud computing services industry and basic Internet freedoms. This Justice policy, if not permanently revoked by legislative action, will cause continued consumer uncertainty at best and at worst a complete collapse of the current multinational cloud computing system.
While the DoJ may attempt to minimize the impact of their policy and legal overreach, it is important to understand the many legal, regulatory, societal, cultural challenges — each with separate domestic and international implications — this policy would create if President Trump’s Attorney General chooses to follow this shortsighted policy decision by President Obama.
In 2013, the Department of Justice undertook a seemingly routine investigation of a U.S. citizen. Investigators requested data associated with his known email accounts. Under an existing statute passed in 1986, Microsoft attempted to comply, only to discover that though the user is American, the person was living in and regularly accessing their account from Ireland.
The architecture of cloud computing is focused on maximizing system efficiency. This resulted in the cloud automatically locating the user’s account data on servers in Ireland, not within the borders of the United States. Microsoft, following existing international law, was forced to refuse to transfer the data back to the United States solely for the purpose of giving DoJ investigators access to the data.
Surprisingly, DoJ attempted to strong arm Microsoft into violating both Irish law and international agreements. There seems to be no true reason for the DoJ’s course of action – other than a tantrum similar to Veruca Salt’s “I want it now!“. The Department of Justice already has a long-standing existing system in place to facilitate investigators access to data in another country. Using any one of several longstanding bilateral agreements known as MLATs (Mutual Legal Assistance Treaties), investigators gain ready access to data outside of U.S. boundaries – as long as the legal protections of the second country are satisfied.
But DoJ simply chose to ignore this existing solution, attempting to force Microsoft to violating both European Union Data protections and Irish national law or choosing to enter into what was obviously going to be a long, drawn out legal battle with the American government.
Luckily for cloud computing, the Internet and the personal data privacy of the American people, Microsoft choose to object to the demands of the US DoJ and force legal action. While the current decision by the Second Circuit Court of Appeals affirms existing US law and reaffirms the need for the DoJ to respect other countries’ laws, this policy decision by the US Department of Justice makes it obvious that it is far past time for Congress to affirmatively act to update the law governing how the Government can legally access information in the course of a legal investigation.
Make no mistake, the existing decision by the Courts should not be held lightly. Any further action by the Department of Justice could easily cause significant international outcry no less damaging than past errors by the Obama Administration. The outcome would force each individuals’ cloud computing files to be located only in one country. Known as “Data Localization,” this eliminates a vast majority of the advantage of the cloud network while also severely constraining individual citizens’ ability to be part of the mobile workforce. Files must be saved and accessed on one office server, no matter where in the country or the world the user happens to be located. This used to cause significant user problems while creating significant lost work hours. Forcing the multinational cloud computing industry to completely change into a system constrained by geopolitical lines and with server farms duplicated in each country around the globe would threaten the very existence of a new and robust US-based industry. A change of this nature would drastically cut the increasing number of high paying jobs available within the US, eliminate a large sector of US-based startups and negatively impact the rate of US-led innovation in related industries.
Let’s not overlook the immediate converse of an action like the DoJ’s. A US policy allowing investigators to ignore the sovereign laws of another nation would place every cloud service in the position of granting similar requests from any other government.
No American citizen would want their data stored anywhere but within the US borders. This would be the only manner in which our data would be safe from any other government’s random investigation. Would any of us feel safe storing our personally identifiable information, account passwords, financial or health records online where the merest request from a “pliable” Third World government would force a US company to cough up the goods?
Would you want Chinese “investigators” sifting through your personal records? Perhaps the various hacking communities scattered throughout Eastern Europe would find it more efficient to collect our personal information via legal means rather than hacking, but the result would likely be more identity theft, more hacked accounts, more consumer distrust of the Internet, online commerce and yet less ability to protect ourselves.
What would the affect be on US reporters if their freedom of the press were subject to personal and professional pressure, even blackmail by unnamed and untraceable online parties? What would be the affect of US citizens who now have the Constitutional right and the freedom to criticize other governments? Their personal information would be open to not simply hacking but ready access by the same governments they dared to criticize. Can anyone believe this would not crush American rights?
The solution is obvious. The Department of Justice must permanently abandon this policy. Congress must act to update existing laws governing warrants and the collection of electronic data, specifically the Electronic Communications Privacy Act and the Stored Communications Act.